A short history of Christmas malware

Since the very earliest days of computer viruses, malware authors have been inspired by the Christmas holidays when developing attacks.

Here's a quick, and probably incomplete, history of some of the Christmas-related malware that we have seen over the years.

Christmas 1987
"Christmas Tree" (also known as "CHRISTMA EXEC"), which spread in December 1987, was an early example of an email-aware worm.

Using the subject line

"Let this exec run and enjoy yourself!"

the worm would display EBCDIC character art of a Christmas tree and forward itself via email to other users if activated.

Christmas Tree Exec

The worm was blamed on a German student, who claimed he just wanted to send greetings to his friends.

In 1990, the Christmas Tree worm resurfaced, forcing IBM to shut down its network of 350,000 terminals.

Christmas 1999
The WM97/Melissa-AG virus (also known as Prilissa) infected Microsoft Word documents, spreading via email using the subject line

Message from <username>

and the message text:

This document is very Important and you've GOT to read this !!!

Opening the attached DOC file, however, would infect your computer. The payload would trigger on December 25th, displaying a message:

Prilissa message

and inserting randomly coloured blocks in the current Word document.

Prilissa payload

As a final destructive gesture, the virus would attempt to format the C: drive on the next reboot.

Meanwhile, rumours were spreading far and wide that a game called "Elf Bowling" was infected with a computer virus.

The game, which showed Santa Claus trying to knock down a pack of elves with a bowling ball, caused panic amongst companies terrified of computer viruses, and Sophos was deluged with requests for more information about the "virus", which was said to trigger on December 25th.

Elfbowling

A typical warning being spread across the internet read:

If anyone has sent you, a game called "elfbowl.exe" (cool game, tenpin bowling with little elves as pins), it apparently has a virus that will be activated on December 25th. Either take a risk, or delete before then.

However, all copies of the game examined by Sophos researchers were found to be uninfected, and the warnings were nothing more than a hoax wasting users' time.

Sophos's staff did enjoy testing the game intensively, however.

Christmas 2000
The W32/Navidad virus spread via email, masquerading as an electronic Christmas card.

Infected computers could be identified by the mysterious blue eye icons it would place in the Windows system tray.

Navidad eyes

Users who moved their mouse cursor over the eyes would be presented with a variety of different messages:

Navidad virus

Another example of malware which tried to leave its mark on the holiday season in 2000 was the W32/Music email-aware worm.

Sending out messages similar to "Hi, just testing email using Merry Christmas music file, you'll like it.", the worm was attached as a file called music.com, music.exe or music.zip.

W32/Music worm

When run, the worm attempts to play the first few bars of the song "We wish you a Merry Christmas" and displays a cartoon of Santa Claus with the caption "Music is playing, turn on your speaker if you have one" or "There is error in your sound system, music can't be heard."

Christmas 2001
The Maldal virus spread via email, again using the tried-and-trusted technique of pretending to be a seasonal electronic greeting card called Christmas.exe.

Maldal virus

Once installed, the Maldal malware would display a picture of Santa Claus on skis accompanied by a prancing reindeer, with the message "From the heart, Happy new year!".

Maldal virus

Christmas 2004
The Zafi-D virus spread fear rather than cheer, attached to emails offering seasonal greetings. The virus, created in Hungary, could communicate in a variety of languages - spreading messages such as "FW: Merry Christmas", "Joyeux Noel!" and "Feliz Navidad!"

In a somewhat un-Christmassy twist, it embedded a vulgar animated GIF graphic of two "smiley" faces which appeared to be enjoying themselves in a way that would make Rudolph the reindeer red-faced as well as red-nosed.

Zafi-D virus

At its height, a staggering one in every ten emails was infected by the Zafi-D virus.

Christmas 2007
The creators of the Dorf-AE worm (also known as the Storm worm) launched an attack that posed as a sexy striptease being performed by none other than the wife of Santa Claus.

Using a wide variety of subject lines, including "Your Secret Santa", "Santa Said, HO HO HO", "Warm Up this Christmas" and "Mrs. Clause Is Out Tonight!", the emails attempted to direct internet users to a website containing images of scantily clad young women in a Santa suit.

Santa striptease

Christmas 2009
The pesky Koobface worm, which targets users of social networks such as Facebook, adopted a Christmas disguise by hiding on a Santa-themed webpage.

Christmas Koobface

The webpage pretended that you needed to install an update to Adobe Flash Player, but the "update" was, of course, in reality a carrier for a version of the worm.

There are, no doubt, plenty of other examples of Christmas-related malware from over the years - but hopefully this gives you an insight into at least some of the more visual examples we have seen.

Remember that you need to take computer security seriously all year around - don't let your guard drop and don't fall into bad habits just because it's the holiday season. My colleague Paul Ducklin has written up some guidelines for staying safe online this Christmas, and even made a cheery video to get you in the mood.

7 Responses to A short history of Christmas malware

  1. Nice job pulling this chronology of not-so-merry mayhem together.

  2. Rob · 1216 days ago

    memories not all so good ones those pesky elves!

  3. Loz · 1215 days ago

    Really appreciate the trouble you've gone to to make us Sophos users more aware of the subtle threats to our PCs ..... especially around this time......
    Thanks.....

  4. Can you give me more information about the Maldal Virus?

  5. Andy · 850 days ago

    Old people like me even remember the Christmas Tree worm!
    Nice nostalgic look back :-)

  6. woody188 · 848 days ago

    1998 - CIH virus was spread in a holiday lights program (lights.exe?) that would display a tiny strand of twinkly Christmas lights all around the edges of your monitor. Unhappy day on April 26, 1999 when the payload triggers and wipes the PC BIOS. :(

About the author

Graham Cluley is an award-winning security blogger, and veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.